java AES/CBC/PKCS5PADDING in php (AES-256-CBC) resulting different result

1
votes

Java AES/CBC/PKCS5PADDING function

public static String encrypt_key_data(String password, String message) {
    //password = 4lt0iD3biT@2O17l8
    //message = "{"key_id":"101","merchant_code":"65010A"}";

    Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5PADDING", "SunJCE");
    MessageDigest sha = MessageDigest.getInstance("SHA-1");
    byte[] hashedpassword = sha.digest(password.getBytes("UTF-8"));

    hashedpassword = Arrays.copyOf(hashedpassword, 16);

    SecretKeySpec key = new SecretKeySpec(hashedpassword, "AES");

    cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(IV.getBytes("UTF-8")));
    byte[] encrypted;
    encrypted = cipher.doFinal(message.getBytes());

    return asHex(encrypted);
}

java function resulting value = 'bc26d620be9fa0d810e31e62b00a518f79524f6142b90550b9148d50a1ab94ba55671e68f6cf3ebc44dd6af12f566ee8'

PHP AES-256-CBC function

function encrypt($password, $iv, $data) { 
    $password = '4lt0iD3biT@2O17l8';
    $iv = 'AAAAAAAAAAAAAAAA';
    $data = '{"key_id":"101","merchant_code":"65010A"}';
    $encodedEncryptedData = (openssl_encrypt(($data), 'AES-256-CBC', fixKey(sha1($password)), OPENSSL_RAW_DATA, $iv)); 

    print_r(bin2hex($encodedEncryptedData));
}

function fixKey($key) {
    if (strlen($key) < 32) {
        //0 pad to len 32
        return str_pad("$key", 32, "0"); 
    }

    if (strlen($key) > 32) {
        //truncate to 32 bytes  
        return substr($key, 0, 32); 
    }
    return $key;
}

php function resulting value = 'cf20379c95a41429d4097f0ef7982c72a0d25c014cc09d93ba4a111bb9c11c38bc75d6c9f16cd9cb6545dc8c31560985'

I use same password and same IV, and i have read that AES/CBC/PKCS5PADDING is equivalent with AES-256-CBC. But why mine is resulting different result? Please tell me where is my fault

==============================================

solved. I need to hex2bin($key) then use the key to encrypt using aes

1
javaphpencryptionaes

1 Answers

0
votes

To do AES-256 you would need a 256 bit key, but you are only providing 128 bits - both in java with:

hashedpassword = Arrays.copyOf(hashedpassword, 16);

.. and in PHP with:

if (strlen($key) > 32) {
    //truncate to 32 bytes  
    return substr($key, 0, 32); 
}

as $key is a hexstring with only 4 bit per digit (4 * 32 = 128).

As Java deterts key length from the key provided, you end up with 128 bit encryption in Java. Exactly what PHP/Openssl ends up doing is a bit unknown as you provide conflicting information. You ask for AES-256-CBC but only provides a 128 bit key.

Also, you should not use a simple SHA1 to derive keys from passwords. Instead use a key deriving function like pbkdf2, or just use an actual binary key.